Bug
Resolution: Fixed
Major
On Thursday, August 10th, the maintainers of the open source Linux
kernel released a patch that closes a race condition in the kernel's
UDP Fragmentation Offload (UFO) handler, as will be described in
CVE-2017-1000112 (details not yet posted by the maintainers as of this
notification). Successful exploitation of this race condition requires
unprivileged user namespaces to be enabled in the Linux kernel,
which is the default configuration for most Linux kernel
distributions. If exploited, this vulnerability allows a local
unprivileged user to execute arbitrary code at root-level privilege
from application space. Further, when attempts to exploit the
vulnerability fail, the kernel can become corrupted, resulting in
denial of service to the system. The severity of this vulnerability
is scored externally as:
· 7.0 (High) - CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
The vulnerability was introduced on October 18th, 2005, and all Linux
kernel releases since then are affected – including most popular Linux
distributions.
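The following check is an added example, not part of the original notification: it reports whether the unprivileged user namespace precondition named above is present on a host. It assumes the mainline `user.max_user_namespaces` sysctl (Linux 4.9 and later) and the Debian/Ubuntu-specific `kernel.unprivileged_userns_clone` sysctl; the optional `/proc` root argument and the function names are introduced here for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the unprivileged
# user namespace precondition is present on this host.
# The optional argument is a /proc root, an assumption made here so the
# logic can be exercised against a constructed directory tree.

read_knob() {
    # Print the first line of a sysctl file, or nothing if it is absent.
    knob_value=""
    [ -r "$1" ] || return 0
    IFS= read -r knob_value < "$1" || true
    printf '%s' "$knob_value"
}

userns_status() {
    proc_root="${1:-/proc}"
    ns_link="$proc_root/self/ns/user"

    # The ns/user entry exists only on kernels built with CONFIG_USER_NS.
    if [ ! -e "$ns_link" ] && [ ! -L "$ns_link" ]; then
        echo "disabled:no-kernel-support"
        return 0
    fi

    # Mainline knob (Linux 4.9+): 0 forbids creating any user namespace.
    max_ns=$(read_knob "$proc_root/sys/user/max_user_namespaces")
    if [ "$max_ns" = "0" ]; then
        echo "disabled:max_user_namespaces"
        return 0
    fi

    # Debian/Ubuntu kernel patch: 0 forbids unprivileged creation.
    clone=$(read_knob "$proc_root/sys/kernel/unprivileged_userns_clone")
    if [ "$clone" = "0" ]; then
        echo "disabled:unprivileged_userns_clone"
        return 0
    fi

    # No knob blocks it: unprivileged users can create user namespaces.
    echo "enabled"
}

userns_status "$@"
```

A result of `enabled` means only that the precondition is met; whether the running kernel carries the fix has to be confirmed against the distribution's tracker entry for this CVE.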
Links to Relevant Research & Material:
· http://www.openwall.com/lists/oss-security/2017/08/13/1 and sub-links
· https://access.redhat.com/security/cve/cve-2017-1000112
· http://seclists.org/oss-sec/2017/q3/277
· http://www.securityfocus.com/bid/100262/info
· https://security-tracker.debian.org/tracker/CVE-2017-1000112